----- "David Lutterkort" <lutter(a)redhat.com> wrote:
> Can you try this again with 'NETCF_DEBUG=1 ncftool', i.e. set
> NETCF_DEBUG in the environment? That should spew out some more
> details.
> David
Thanks for the tip.
[root@localhost ~]# NETCF_DEBUG=1 ncftool
warning: augeas initialization had errors
please file a bug with the following lines in the bug report:
/augeas/files/etc/sysconfig/iptables/error = "parse_failed"
/augeas/files/etc/sysconfig/iptables/error/pos = "0"
/augeas/files/etc/sysconfig/iptables/error/line = "1"
/augeas/files/etc/sysconfig/iptables/error/char = "0"
/augeas/files/etc/sysconfig/iptables/error/lens = "/usr/share/augeas/lenses/dist/iptables.aug:59.10-.32"
/augeas/files/etc/sysconfig/iptables/error/message = "Iterated lens matched less than it should"
Failed to initialize netcf
error: unspecified error
error: errors in loading some config files
[root@localhost sysconfig]# cat iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit-burst 10 --limit 6/minute -j LOG --log-level 6
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges"
-A FORWARD -m limit --limit-burst 10 --limit 6/minute -j LOG --log-level 6
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
I also discovered that after no changes to any configurations,
a restart of the network makes ncftool/augeas happy.
[root@localhost sysconfig]# service network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Disabling IPv4 packet forwarding: net.ipv4.ip_forward = 0
[ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0:
Determining IP information for eth0... done.
[ OK ]
[root@localhost ~]# iptables -L -n|grep PHYS
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match
--physdev-is-bridged /* Forwarding for VM bridges */
[root@localhost sysconfig]# NETCF_DEBUG=1 ncftool
ncftool>
If I reboot, ncftool is broken again, with the same error, until a network restart.
Note the following line in iptables:
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges"
If I comment out that entire line with a #, I'm somewhat surprised, when I run ncftool, to see iptables restart and this line deleted.
[root@localhost sysconfig]# NETCF_DEBUG=1 ncftool
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
ncftool> quit
I found that if I remove '-m comment --comment "Forwarding for VM bridges"' then ncftool is happy, even after a fresh reboot. So, perhaps it's an augeas bug with the comment module in iptables? It does seem odd that even with this line present, ncftool does work if I restart the network service.
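As an added example (not code from this thread, netcf or augeas), a small Python parser for the iptables-save format shown above. It tokenizes each rule with shlex so the double-quoted --comment value is kept as one argument wherever it sits in the rule, including after the -j target, which is the construct the augeas lens rejected. The input is a constructed sample mirroring the file in the report.

```python
import shlex

# Constructed sample in iptables-save format; the FORWARD rule has the
# quoted --comment after the -j target, exactly as in the report.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges"
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into chain, match modules, target and options."""
    toks = shlex.split(line)  # POSIX quoting: the comment stays one token
    rule = {"chain": toks[1], "matches": [], "target": None, "opts": {}}
    i = 2
    while i < len(toks):
        tok = toks[i]
        # an option takes a value unless the next token is itself a flag
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        if tok == "-m":
            rule["matches"].append(toks[i + 1])
            i += 2
        elif tok == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif has_val:
            rule["opts"][tok.lstrip("-")] = toks[i + 1]
            i += 2
        else:
            rule["opts"][tok.lstrip("-")] = True  # bare flag, e.g. --physdev-is-bridged
            i += 1
    return rule


def parse_table(text):
    """Return chain policies and parsed rules for a single *table ... COMMIT block."""
    table = {"policies": {}, "rules": []}
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line.split()[:2]
            table["policies"][chain[1:]] = policy
        elif line.startswith("-A "):
            table["rules"].append(parse_rule(line))
    return table


if __name__ == "__main__":
    for r in parse_table(SAMPLE)["rules"]:
        print(r["chain"], r["target"], r["matches"], r["opts"].get("comment"))
```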